
CVE-2025-10641: CWE-319 Cleartext Transmission of Sensitive Information in EfficientLab WorkExaminer Professional

High
Vulnerability, CVE-2025-10641, cve, cve-2025-10641, cwe-319
Published: Tue Oct 21 2025 (10/21/2025, 11:48:02 UTC)
Source: CVE Database V5
Vendor/Project: EfficientLab
Product: WorkExaminer Professional

Description

All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also freely modify the data on the wire. The monitoring clients transmit their data to the server using the unencrypted FTP. Clients connect to the FTP server on port 12304 and transmit the data unencrypted. In addition, all traffic between the console client and the server at port 12306 is unencrypted.

AI-Powered Analysis

Last updated: 10/21/2025, 12:20:36 UTC

Technical Analysis

CVE-2025-10641 identifies a critical security vulnerability in EfficientLab's WorkExaminer Professional software, specifically versions up to 4.0.0.52001. The vulnerability arises because all traffic between the monitoring clients, the console client, and the server is transmitted in plaintext without any encryption. The monitoring clients send data to the server using unencrypted FTP on port 12304, and the console communicates with the server on port 12306 also without encryption. This cleartext transmission violates secure communication principles and corresponds to CWE-319 (Cleartext Transmission of Sensitive Information). An attacker with access to the same network segment can perform passive eavesdropping to capture sensitive monitoring data, which may include user activity logs, credentials, or other confidential information. Furthermore, the attacker can actively modify the data in transit, potentially injecting false information or disrupting monitoring operations. Exploitation does not require user interaction or authentication, but network access is mandatory. No CVSS score has been assigned yet, and no official patches or mitigations have been published by EfficientLab. The vulnerability affects all deployments running vulnerable versions, especially in environments where network segmentation or encryption is not enforced.

Potential Impact

The impact on European organizations using WorkExaminer Professional can be significant. Confidentiality is compromised as sensitive monitoring data is exposed to any attacker with network access, potentially leaking employee activity, credentials, or proprietary information. Integrity is also at risk since attackers can modify data in transit, undermining the reliability of monitoring reports and possibly masking malicious activities. Availability could be indirectly affected if attackers disrupt communication channels or inject malformed data causing software malfunctions. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, face increased compliance risks and potential legal consequences. The vulnerability is especially critical in environments where internal networks are flat or where remote access solutions do not enforce encryption. Given the lack of encryption, attackers inside corporate networks or those who gain access via compromised devices can exploit this vulnerability with relative ease. The absence of known exploits in the wild reduces immediate risk but does not diminish the urgency for mitigation.

Mitigation Recommendations

Until EfficientLab releases an official patch, European organizations should implement the following mitigations:

1) Enforce strict network segmentation to isolate WorkExaminer Professional servers and clients from untrusted or less secure network segments.
2) Deploy VPNs or encrypted tunnels (e.g., IPsec, TLS-based VPNs) to secure all traffic between monitoring clients, consoles, and servers, effectively adding encryption at the network layer.
3) Restrict access to ports 12304 and 12306 using firewalls and access control lists to limit communication only to authorized devices.
4) Monitor network traffic for unusual patterns or unauthorized connections to these ports.
5) Consider replacing or supplementing WorkExaminer Professional with monitoring solutions that support encrypted communications if immediate patching is not feasible.
6) Educate IT and security teams about the risks of unencrypted monitoring traffic and the importance of securing internal communications.
7) Regularly audit network configurations and software versions to ensure vulnerable versions are identified and upgraded promptly once patches become available.
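One way to carry out the monitoring in mitigations 3 and 4, as an added example that is not part of the original advisory or of any EfficientLab tooling: a small audit over flow records that flags connections to ports 12304 and 12306 from sources outside an allowlist, or to a host other than the known server. The flow-record format, the server address and the allowed networks are constructed assumptions; only the two port numbers come from the advisory.

```python
import ipaddress

# Ports named in the advisory: 12304 (client -> server FTP), 12306 (console -> server).
WE_PORTS = {12304: "client-ftp", 12306: "console"}

# Assumed site policy (constructed values): the one legitimate server and the
# networks allowed to reach each port.
SERVER = ipaddress.ip_address("10.20.0.5")
ALLOWED = {
    12304: [ipaddress.ip_network("10.20.10.0/24")],  # monitored workstations
    12306: [ipaddress.ip_network("10.20.0.32/28")],  # admin consoles
}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2025-10-21T12:00:01Z 10.20.10.14 10.20.0.5 12304
2025-10-21T12:00:03Z 10.20.0.35 10.20.0.5 12306
2025-10-21T12:00:07Z 10.20.30.77 10.20.0.5 12306
2025-10-21T12:00:09Z 10.20.10.14 10.20.30.77 12304
2025-10-21T12:00:11Z 10.20.10.14 10.20.0.5 443
2025-10-21T12:00:13Z 10.20.10.999 10.20.0.5 12304
"""

def audit_flows(text):
    """Return (timestamp, src, dst, port, reason) for each policy violation."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip truncated or malformed records
        ts, src_s, dst_s, port_s = parts
        try:
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # unparsable address or port
        if port not in WE_PORTS:
            continue  # not WorkExaminer traffic
        if dst != SERVER:
            reason = "unexpected listener"   # something else is accepting on these ports
        elif not any(src in net for net in ALLOWED[port]):
            reason = "unauthorized source"   # firewall/ACL gap for this segment
        else:
            continue
        findings.append((ts, src_s, dst_s, port, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Each "unauthorized source" finding points at a segment the firewall rules should be blocking; an "unexpected listener" finding means clients are sending cleartext monitoring data to a host that is not the expected server.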


Technical Details

Data Version: 5.1
Assigner Short Name: SEC-VLab
Date Reserved: 2025-09-17T14:05:17.784Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68f7770ba08cdec950690ab6

Added to database: 10/21/2025, 12:05:31 PM

Last enriched: 10/21/2025, 12:20:36 PM

Last updated: 10/23/2025, 7:11:45 PM
